Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 15
People’s Congress, released on March 14, 2025,
stated that an amendment of CSL is one
of the legislative priorities for the Chinese
government in 2025. To date, there hasn’t been
a new draft for public consultation regarding
the amendments to the CSL. It remains
uncertain whether future updates will be
included in addition to the increased
legal responsibilities.
The Rules on the Protection of the
Security for Critical Information
Infrastructure
The Rules on the Protection of the Security for
Critical Information Infrastructure (the CII
Rules), effective from September 1, 2021,
provide guidance on whether or not an
organisation is a CIIO and require CIIOs to
deploy only safe and reliable network products and
services. For network products and services
that may affect national security, the CIIO shall
complete a national security review.
When setting the standards for the
identification of CIIs in different industries,
industry regulators are required to consider
the following:
· The degree of importance of network
facilities or information systems to the core
business of the corresponding industry
or sector;
· The degree of harm that might be caused by
the network facility’s or information system’s
destruction, loss of function, or data
leakage; and,
· Any other related impact on other industries
or sectors.
Some of the key obligations in relation to CIIs
include the obligation to:
· Design, implement, and utilise security
protection measures;
· Establish a comprehensive security
protection and accountability system;
· Establish a specified security management
body, which will be responsible for security
protection works;
· Carry out network security testing and risk
assessment at least once a year; and,
· Report significant cybersecurity incidents to
the relevant public security organs, etc.
Further, CIIOs that store or handle information
that involves state secret information are
subject to certain state secret laws and
regulations, and CIIOs that utilise commercial
encryption products are subject to relevant
encryption regulations.
CIIOs found to have breached the CII Rules
are liable to provisional warnings, correctional
orders, a fine of up to RMB 1,000,000 and
confiscation of revenue illegally obtained.
The Data Security Law
Next in line of the three primary data and
cybersecurity laws, the DSL, which came into
effect on September 1, 2021, provides a set of
high-level national data security principles
and policies, the main elements of which
are: (a) the establishment of basic mechanisms
for data security management, such as data
classification and management, data security
risk assessment, monitoring, warning and
emergency response; (b) the data security
protection obligations of organisations and
individuals carrying out data-related activities;
(c) measures to support the promotion and
development of data security; and (d) the
establishment of mechanisms to guarantee the
security of government data, and promote the
openness of government data.
It is important to understand that, whereas the
CSL is primarily concerned with the regulation
of ICT infrastructure and networks in China